New Nokia Smartphones Leak E-mail Passwords
Noksu writes "Despite the recent plunge in Nokia's profits, the company is doing well in the surveillance business. The infamous 'Lex Nokia' got ratified in Finland and the company has launched a massive Nokoscope research project for data gathering. In the meantime, Nokia's new smartphones forward e-mail account credentials to a remote server. Surprisingly enough, this is done in HTTP request headers. The company has been informed, but there has not been an official statement yet. Time for a class action suit in the US?"
Non-issue? (Score:4, Informative)
This isn't really an issue, is it?
Yes, it sends credentials through to Nokia, but it does _not_ use an unencrypted HTTP connection to do it. It uses SSL/HTTPS. It's also _not_ done in HTTP header messages; it's going through in the GET request.
*shrug*
A few details I forgot: (Score:5, Informative)
Subby here. To clarify some things: this issue is in the Nokia Messaging client. The only device (AFAIK) that currently ships with Nokia Messaging is the E75. The older models use the old email/messaging software, which has nothing to do with the Nokia Messaging service.
I haven't checked how Nokia markets the Nokia Messaging service/client nowadays, but originally it was marketed as a service (the email proxy) and accompanying client, and you couldn't even use the client without the proxy service.
Apparently this has changed now that the E75 ships without the original standalone email client.
So, the E71 (or any other Nokia phone except the E75) does not have this issue unless you have downloaded the separate Nokia Messaging software and use that for reading mail.
Re:Solution: (Score:5, Informative)
Hell, what if you use a ?, & or # in your password? Something tells me they probably didn't do a URL encode.
Although you could have some fun with dumb snoopers out there.
Just make your password:
https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
address=test.user@mycompany.com&password=topsecret&
mcc=244&mnc=91&carrier=sonera
So the request would be:
https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
address=test.user@mycompany.com&password=https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
address=test.user@mycompany.com&password=topsecret&
mcc=244&mnc=91&carrier=sonera&
mcc=244&mnc=91&carrier=sonera
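The comment above is guessing that special characters in a password are pasted into the query string unencoded. The following is an added illustration, not code from the thread or from Nokia: it builds the request URL two ways, once by naive string concatenation and once with proper percent-encoding, and then parses each URL the way a server-side framework would, to show which fields the server would actually receive. The endpoint path and parameter names follow the URL quoted in the comment; the sample address and password are constructed here.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint as quoted in the thread; used here only to build strings, nothing is sent.
ENDPOINT = "https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/"


def build_naive(address, password, mcc="244", mnc="91", carrier="sonera"):
    """Concatenate the query string with no encoding (the behaviour the comment suspects)."""
    return (f"{ENDPOINT}?operation=ccds.provider.determineAccount&applicationCode=email"
            f"&address={address}&password={password}"
            f"&mcc={mcc}&mnc={mnc}&carrier={carrier}")


def build_encoded(address, password, mcc="244", mnc="91", carrier="sonera"):
    """Build the same request with every value percent-encoded by urlencode()."""
    params = {
        "operation": "ccds.provider.determineAccount",
        "applicationCode": "email",
        "address": address,
        "password": password,
        "mcc": mcc,
        "mnc": mnc,
        "carrier": carrier,
    }
    return f"{ENDPOINT}?{urlencode(params)}"


def fields_seen_by_server(url):
    """Parse the URL like a web framework would: the fragment (after '#') is dropped,
    '&' splits parameters, '?' is literal inside the query. Returns {name: first value}."""
    query = urlsplit(url).query
    parsed = parse_qs(query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def password_seen_by_server(url):
    """Return the password value the server would read, or None if it is missing."""
    return fields_seen_by_server(url).get("password")


if __name__ == "__main__":
    # Constructed sample credentials containing exactly the characters the comment asks about.
    address = "test.user@mycompany.com"
    password = "p&ss#w?rd"

    naive = build_naive(address, password)
    encoded = build_encoded(address, password)

    print("naive   :", naive)
    print("encoded :", encoded)
    # With the naive URL the '&' truncates the password to "p" and the '#' turns the
    # rest of the query into a fragment, so mcc/mnc/carrier never reach the server.
    print("naive fields   :", fields_seen_by_server(naive))
    print("encoded fields :", fields_seen_by_server(encoded))
```

Run it and compare the two field dictionaries: the naive URL delivers the password `p` and loses every parameter after the `#`, while the encoded URL round-trips `p&ss#w?rd` intact. The encoding fix only addresses correctness, though. Whether or not the values are encoded, a credential carried in a GET query string is written to web server access logs, proxy logs and any intermediate cache, which is why credentials belong in an authenticated request body or header over TLS rather than in the URL.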
Re:Non-issue? (Score:1, Informative)
Exactly.
Nokia's system works the same way: you create a master account at Nokia, which holds your credentials for other email accounts.
The mobile email client then talks to Nokia's servers, which talk to all of your mailboxes.
This article is not news.
Re:A few details I forgot: (Score:5, Informative)
According to the blogger's followup [blogspot.com], at least three models are affected:
5800 (20.0.0.12)
N79 (11.049)
E75 (110.48.78)
Also from the followup:
Yes, I know there is a solution called Nokia Messaging (read more from here), but maybe I wasn't clear enough in my initial post: I am configuring direct IMAP/POP access to my own/company/organization/whatever email service, and I am not using nor planning to use Nokia's messaging proxy.
Re:Non-issue? (Score:5, Informative)
Basically their (RIM, etc.) server will check for email, download it, compress it, then push it to your device.
So if you have 10 email accounts, rather than your device constantly checking each one, wasting data and battery life, the server does all that work and you get push email functionality.
Re:An issue. (Score:3, Informative)
nope [slashdot.org].
At least that was very clearly not his intention.
Re:A few details I forgot: (Score:4, Informative)
I'm on the server software team, so I'm not completely sure about the client, but as I understand it, the client's hitting our CCDS server to save you the step of putting in server names/ports/etc. The service was written for Nokia Messaging, and is used there, but is also valid for the client to configure its built-in client.
Re:Non-issue? (Score:2, Informative)
IMAP, on a properly written client, in online mode, keeps the connection open and the server notifies the client when new messages arrive.
Give me a break... (Score:3, Informative)
Here's to sensationalism and misrepresentation.
Nokoscope was not started by Nokia, but by one or two developers who happen to work for Nokia. It is not an official Nokia project, nor will it ever be, nor is it 'massive'. It will never be installed by default on any Nokia device.